

<header class="api-profile-header">
  <h1 class="api-profile-header-heading">$sceDelegate</h1>
  <ol class="api-profile-header-structure naked-list step-list">
    
  <li>
    <a href="api/ng/provider/$sceDelegateProvider">- $sceDelegateProvider</a>
  </li>

    <li>
      - service in module <a href="api/ng">ng</a>
    </li>
  </ol>
</header>





<div class="api-profile-description">
  <h2 id="overview">Overview</h2>
  <p><code>$sceDelegate</code> is a service that is used by the <code>$sce</code> service to provide <a href="api/ng/service/$sce">Strict
Contextual Escaping (SCE)</a> services to AngularJS.</p>
<p>For an overview of this service and the functionality it provides in AngularJS, see the main
page for <a href="api/ng/service/$sce">SCE</a>. The current page is targeted at developers who need to alter how
SCE works in their application, which shouldn&#39;t be needed in most cases.</p>
<div class="alert alert-danger">
AngularJS strongly relies on contextual escaping for the security of bindings: disabling or
modifying this might cause cross-site scripting (XSS) vulnerabilities. For library owners,
changes to this service will also influence users, so be extra careful and document your changes.
</div>

<p>Typically, you would configure or override the <a href="api/ng/service/$sceDelegate">$sceDelegate</a> instead of
the <code>$sce</code> service to customize the way Strict Contextual Escaping works in AngularJS.  This is
because, while the <code>$sce</code> provides numerous shorthand methods, etc., you really only need to
override 3 core functions (<code>trustAs</code>, <code>getTrusted</code> and <code>valueOf</code>) to replace the way things
work because <code>$sce</code> delegates to <code>$sceDelegate</code> for these operations.</p>
<p>Refer to <a href="api/ng/provider/$sceDelegateProvider">$sceDelegateProvider</a> to configure this service.</p>
<p>The default instance of <code>$sceDelegate</code> should work out of the box with little pain.  While you
can override it completely to change the behavior of <code>$sce</code>, the common case would
involve configuring the <a href="api/ng/provider/$sceDelegateProvider">$sceDelegateProvider</a> instead by setting
your own trusted and banned resource lists for trusting URLs used for loading AngularJS resources
such as templates.  Refer to <a href="api/ng/provider/$sceDelegateProvider#trustedResourceUrlList">$sceDelegateProvider.trustedResourceUrlList</a> and <a href="api/ng/provider/$sceDelegateProvider#bannedResourceUrlList">$sceDelegateProvider.bannedResourceUrlList</a>.</p>

</div>




<div>
  

  

  <h2 id="usage">Usage</h2>
    
      <p><code>$sceDelegate();</code></p>


    

    
    

    

  
<h2 id="$sceDelegate-methods">Methods</h2>
<ul class="methods">
  <li>
    <h3 id="trustAs"><p><code>trustAs(type, value);</code></p>

</h3>
    <div><p>Returns a trusted representation of the parameter for the specified context. This trusted
object will later on be used as-is, without any security check, by bindings or directives
that require this security context.
For instance, marking a string as trusted for the <code>$sce.HTML</code> context will entirely bypass
the potential <code>$sanitize</code> call in corresponding <code>$sce.HTML</code> bindings or directives, such as
<code>ng-bind-html</code>. Note that in most cases you won&#39;t need to call this function: if you have the
sanitizer loaded, passing the value itself will render all the HTML that does not pose a
security risk.</p>
<p>See <a href="api/ng/service/$sceDelegate#getTrusted">getTrusted</a> for the function that will consume those
trusted values, and <a href="api/ng/service/$sce">$sce</a> for general documentation about strict contextual
escaping.</p>
</div>

    

    
    <h4>Parameters</h4>
    
<table class="variables-matrix input-arguments">
  <thead>
    <tr>
      <th>Param</th>
      <th>Type</th>
      <th>Details</th>
    </tr>
  </thead>
  <tbody>
    
    <tr>
      <td>
        type
        
        
      </td>
      <td>
        <a href="" class="label type-hint type-hint-string">string</a>
      </td>
      <td>
        <p>The context in which this value is safe for use, e.g. <code>$sce.URL</code>,
    <code>$sce.RESOURCE_URL</code>, <code>$sce.HTML</code>, <code>$sce.JS</code> or <code>$sce.CSS</code>.</p>

        
      </td>
    </tr>
    
    <tr>
      <td>
        value
        
        
      </td>
      <td>
        <a href="" class="label type-hint type-hint-object">*</a>
      </td>
      <td>
        <p>The value that should be considered trusted.</p>

        
      </td>
    </tr>
    
  </tbody>
</table>

    

    

    
    <h4>Returns</h4>
    <table class="variables-matrix return-arguments">
  <tr>
    <td><a href="" class="label type-hint type-hint-object">*</a></td>
    <td><p>A trusted representation of value, that can be used in the given context.</p>
</td>
  </tr>
</table>
    </li>
  
  <li>
    <h3 id="valueOf"><p><code>valueOf(value);</code></p>

</h3>
    <div><p>If the passed parameter had been returned by a prior call to <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a>, returns the value that had been passed to <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a>.</p>
<p>If the passed parameter is not a value that had been returned by <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a>, it must be returned as-is.</p>
</div>

    

    
    <h4>Parameters</h4>
    
<table class="variables-matrix input-arguments">
  <thead>
    <tr>
      <th>Param</th>
      <th>Type</th>
      <th>Details</th>
    </tr>
  </thead>
  <tbody>
    
    <tr>
      <td>
        value
        
        
      </td>
      <td>
        <a href="" class="label type-hint type-hint-object">*</a>
      </td>
      <td>
        <p>The result of a prior <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a>
    call or anything else.</p>

        
      </td>
    </tr>
    
  </tbody>
</table>

    

    

    
    <h4>Returns</h4>
    <table class="variables-matrix return-arguments">
  <tr>
    <td><a href="" class="label type-hint type-hint-object">*</a></td>
    <td><p>The <code>value</code> that was originally provided to <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a> if <code>value</code> is the result of such a call.  Otherwise, returns
    <code>value</code> unchanged.</p>
</td>
  </tr>
</table>
    </li>
  
  <li>
    <h3 id="getTrusted"><p><code>getTrusted(type, maybeTrusted);</code></p>

</h3>
    <div><p>Given an object and a security context in which to assign it, returns a value that&#39;s safe to
use in this context, which was represented by the parameter. To do so, this function either
unwraps the safe type it has been given (for instance, a <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a> result), or it might try to sanitize the value given, depending on
the context and sanitizer availability.</p>
<p>The contexts that can be sanitized are <code>$sce.MEDIA_URL</code>, <code>$sce.URL</code> and <code>$sce.HTML</code>. The first two are available
by default, and the third one relies on the <code>$sanitize</code> service (which may be loaded through
the <code>ngSanitize</code> module). Furthermore, for the <code>$sce.RESOURCE_URL</code> context, a plain string may be
accepted if the resource URL policy defined by <a href="api/ng/provider/$sceDelegateProvider#trustedResourceUrlList"><code>$sceDelegateProvider.trustedResourceUrlList</code></a> and <a href="api/ng/provider/$sceDelegateProvider#bannedResourceUrlList"><code>$sceDelegateProvider.bannedResourceUrlList</code></a> accepts that resource.</p>
<p>This function will throw if the safe type isn&#39;t appropriate for this context, or if the
value given cannot be accepted in the context (which might be caused by sanitization not
being available, or the value not being recognized as safe).</p>
<div class="alert alert-danger">
Disabling auto-escaping is extremely dangerous: it usually creates a cross-site scripting
(XSS) vulnerability in your application.
</div></div>

    

    
    <h4>Parameters</h4>
    
<table class="variables-matrix input-arguments">
  <thead>
    <tr>
      <th>Param</th>
      <th>Type</th>
      <th>Details</th>
    </tr>
  </thead>
  <tbody>
    
    <tr>
      <td>
        type
        
        
      </td>
      <td>
        <a href="" class="label type-hint type-hint-string">string</a>
      </td>
      <td>
        <p>The context in which this value is to be used (such as <code>$sce.HTML</code>).</p>

        
      </td>
    </tr>
    
    <tr>
      <td>
        maybeTrusted
        
        
      </td>
      <td>
        <a href="" class="label type-hint type-hint-object">*</a>
      </td>
      <td>
        <p>The result of a prior <a href="api/ng/service/$sceDelegate#trustAs"><code>$sceDelegate.trustAs</code></a> call, or anything else (which will not be considered trusted.)</p>

        
      </td>
    </tr>
    
  </tbody>
</table>

    

    

    
    <h4>Returns</h4>
    <table class="variables-matrix return-arguments">
  <tr>
    <td><a href="" class="label type-hint type-hint-object">*</a></td>
    <td><p>A version of the value that&#39;s safe to use in the given context, or throws an
    exception if this is impossible.</p>
</td>
  </tr>
</table>
    </li>
  </ul>
  
  



  
</div>
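<p>The following is an added example, not AngularJS source code: a simplified, framework-free model of the <code>trustAs</code> / <code>valueOf</code> / <code>getTrusted</code> contract described above, showing what a replacement delegate has to preserve. The names <code>makeDelegate</code>, <code>TrustedValue</code>, <code>escapeAll</code> and the option names are hypothetical, the context strings are stand-ins, and URL policies are modelled as plain regular expressions.</p>

```javascript
// Simplified model of the trustAs / valueOf / getTrusted contract. Not AngularJS source:
// all names are hypothetical; URL / MEDIA_URL sanitization is deliberately left out.
class TrustedValue {
  constructor(type, value) { this.type = type; this.value = value; }
}
function makeDelegate({ sanitizeHtml = null, trusted = [], banned = [] } = {}) {
  const contexts = new Set(['html', 'js', 'resourceUrl']);
  const check = t => { if (!contexts.has(t)) throw new Error('unknown context: ' + t); };
  return {
    // Wrap the value; consumers of this context will use it without further checks.
    trustAs(type, value) { check(type); return new TrustedValue(type, value); },
    // Unwrap a trustAs() result; return anything else unchanged.
    valueOf(value) { return value instanceof TrustedValue ? value.value : value; },
    getTrusted(type, maybeTrusted) {
      check(type);
      if (maybeTrusted instanceof TrustedValue) {
        if (maybeTrusted.type === type) return maybeTrusted.value;
        throw new Error('trusted for ' + maybeTrusted.type + ', not ' + type);
      }
      const s = String(maybeTrusted);
      if (type === 'html' && sanitizeHtml) return sanitizeHtml(s);
      // Plain string: accepted only if the URL policy allows it (here the banned list wins).
      if (type === 'resourceUrl' &&
          trusted.some(r => r.test(s)) && !banned.some(r => r.test(s))) return s;
      throw new Error('unsafe value in ' + type + ' context');
    },
  };
}

// Constructed sample input; escapeAll stands in for $sanitize and escapes all markup.
function demo() {
  const escapeAll = s => s.replace(/[&<>"]/g, c => '&#' + c.charCodeAt(0) + ';');
  const d = makeDelegate({
    sanitizeHtml: escapeAll,
    trusted: [/^https:\/\/cdn\.example\.test\//], banned: [/\/uploads\//],
  });
  const attempt = fn => { try { return fn(); } catch (e) { return 'THROWS'; } };
  const markup = '<b onmouseover="track()">hi</b>';
  return {
    trustedHtml: d.getTrusted('html', d.trustAs('html', markup)),
    plainHtml: d.getTrusted('html', markup),
    noSanitizer: attempt(() => makeDelegate().getTrusted('html', markup)),
    wrongContext: attempt(() => d.getTrusted('js', d.trustAs('html', markup))),
    allowedUrl: d.getTrusted('resourceUrl', 'https://cdn.example.test/tpl/a.html'),
    bannedUrl: attempt(() =>
      d.getTrusted('resourceUrl', 'https://cdn.example.test/uploads/a.html')),
    unwrapped: [d.valueOf(d.trustAs('js', '1+1')), d.valueOf(42)],
  };
}
```

<p>In the result of <code>demo()</code>, <code>trustedHtml</code> still carries the event-handler attribute because the wrapped value skipped the sanitizer, which is why each <code>trustAs</code> call site deserves review.</p>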


